Tag Archive for: decoupling

China’s use of foreign open-source software, and how to counter it

The Wall Street Journal recently exposed a 2022 Chinese government directive, named Document 79, that requires state-owned enterprises to replace proprietary foreign software such as operating systems, email services and word processors in their IT systems with Chinese-built versions by 2027. It was part of Beijing’s multi-decade effort to become technologically self-sufficient in the face of strategic competition from other countries, and it’s using open-source software as a means to close the technological gap. 

This poses a dilemma for the US, Australia and their partners. Since open-source software is shared freely and developed collaboratively, China’s efforts to develop local versions force democracies to decide whether they should allow their own software engineers to contribute to Chinese projects that may end up modernising the country’s military, intelligence and political systems.

China’s pursuit of open-source software started in the 1990s when Gong Ming, the founder of Beijing Ningsi Software (aka Linx Software), transferred copies of the Linux operating system from Finland to China. For that action, Gong is now known as the father of China’s Linux and continues to develop software for the government. This includes software for the Ministry of State Security (MSS), which has been central in shaping Beijing’s policies to build its own open-source ecosystem that it can control. 

Operating systems and other critical software are important because they can pose significant cybersecurity risks if their vulnerabilities are not patched, as made evident by EternalBlue, a computer exploit developed by the US National Security Agency. That’s why Beijing has long been suspicious of foreign operating systems such as Windows and macOS, worrying that foreign governments could be hoarding vulnerabilities that they could exploit to cripple the Chinese government’s computer networks. 

In response to these concerns, China is making some progress in developing indigenous operating systems. Gong’s company Linx Software was one of many that helped launch China’s first version of an open-source desktop operating system, OpenKylin, in 2023. According to Linx Software’s website, the MSS and other provincial state security departments now use Linx’s security servers and operating systems. 

Another reason behind China’s development of local software is the country’s dependency on foreign operating systems and the risk of regulatory interception by Western governments. Windows is still the dominant operating system in China, which means the US and its partners could respond to aggression from Beijing by forcing Microsoft, through legislation or export controls, to revoke its software licences or stop supporting Chinese companies. In 2020, two Chinese universities were prevented under US Export Administration Regulations from using the US software MATLAB, due to their ties with the Chinese armed forces.   

China’s security establishment understood as early as 1999 that dependence on proprietary foreign software was a vulnerability. He Dequan, an academician with the Chinese Academy of Engineering, that year proposed developing strategic technologies for information security. He called for China to develop its own operating system. 

In 2001, Zhu Rongji, then premier of China’s State Council, told government departments to study He Dequan’s information security concepts and formulate relevant policies. The views of He were likely taken seriously by senior Chinese leaders because he wasn’t just another academic; he was also an influential intelligence officer. In 2000, the People’s Daily referred to He as the director of the Science and Technology Commission of the MSS. According to ASPI analysis of other publicly available information, he was also likely a director of the 16th Bureau of the MSS, which researches and develops information technology applications.  

While Beijing’s policies are starting to erode the dominance of Windows in China, local companies have so far only built alternatives that use existing open-source software. For example, the first version of Huawei’s mobile operating system, HarmonyOS, had no discernible differences from Google’s Android. The large language model (LLM) Yi-34B, released by Kaifu Lee’s startup 01.AI based in Beijing, shares the same architecture as Meta’s open-source LLM, Llama, a fact that was acknowledged only after other developers pointed it out. And OpenKylin is considered to be a remix of Ubuntu, an open-source version of the Linux operating system.

In China’s efforts to build its own open-source software, it’s not surprising that Linux is one example of a Western operating system that’s being emulated. Linux has been one of the most secure operating systems, thanks to a global open-source community of engineers hunting for vulnerabilities and patching software bugs. Operating systems can still have unknown bugs or vulnerabilities that foreign intelligence agencies could exploit, even if they’re built by trusted engineers.  

That explains why new Chinese open-source platforms are relying on foreign talent to grow. Gitee is a state-backed alternative to GitHub, Microsoft’s open-source coding platform. It is one of the few Chinese websites that allows users to sign up using Google accounts, suggesting it wants overseas developers to contribute to its projects.  

At the same time, Beijing is blocking foreign options to manipulate the domestic market. Hugging Face, a popular French-US open-source platform that hosts machine-learning models and tools, was reportedly made inaccessible in China last year. Likewise, there are questions about how long GitHub will remain accessible in China.  

So should the US and other democracies prevent their own software engineers contributing to Chinese open-source projects? It’s a difficult call to make because the two sides are increasingly intertwined. For example, the Chinese artificial intelligence firm iFlytek, which was sanctioned in 2019 over its role in human rights violations and abuses of Uyghur Muslims and other ethnic groups, has repositories on GitHub and a joint project with the Harbin Institute of Technology on Hugging Face. 

As long as democracies are locked in strategic competition with China and Xi Jinping continues to signal that he is willing to use force to reshape the world order, they should restrict developers contributing to projects on Gitee and other platforms controlled by the Chinese Communist Party (CCP). This will prevent developers from supplying the next generation of critical software and AI technologies and unwittingly helping Beijing gain a military advantage. At a minimum, democratic governments should raise public awareness of the involvement of China and other authoritarian regimes in emerging open-source software platforms.  

For global open-source communities, there should be an international code of conduct that promotes transparency about project funding sources and contributors, supports ethical decisions and addresses concerns about open-source technologies being used for harmful purposes. 

Democratic governments also need to reassess which products should not be made open-source because they’re at risk of being weaponised by malign actors. Some cutting-edge software, such as generative AI, is already being co-opted by the CCP against democracies in disinformation campaigns.  

Lastly, governments should protect and foster the global open-source community of software developers, who are a critical resource in cybersecurity and other key areas, and do more to challenge authoritarian governments when they ban or censor open-source platforms like Hugging Face and GitHub.

The next globalisation

Is globalisation coming back to life? That was the big question at the World Economic Forum’s annual meeting in Davos, where WEF founder Klaus Schwab asked whether it is possible to have cooperation in an era of fragmentation.

For the past decade, the steady demise of ‘Davos man’—the avatar of global business and cosmopolitanism—was the big story here, owing to the 2008 financial crisis, Brexit, Donald Trump’s election, democratic backsliding around the world, Covid-19 and Russia’s war in Ukraine. All were seen as signs that globalisation had gone too far and would be thrown into reverse.

But the mood at this year’s meeting was slightly more optimistic. Despite much concern about conflict and economic strife, the world seems to be doing a little better than global elites expected when they last met in May. The Ukrainians are valiantly resisting the Russian invaders, the West is united, Europe has managed to keep the lights on this winter, and some think we might still avoid a recession.

Beneath these important short-term developments is a more profound shift towards a new form of globalisation, albeit one that will be quite different from what preceded it. While the globalisation of goods seems to have peaked, services are becoming ever more globalised, owing to the revolution in telework during the pandemic.

There is also an accelerating revolution in energy, driven partly by the war in Ukraine. European Commission President Ursula von der Leyen and German Chancellor Olaf Scholz predict that the widespread adoption of renewables and hydrogen power will be as significant as the industrial revolution of the 19th century. At the same time, advances in artificial intelligence are opening vast new possibilities, while also creating tensions over microchips and renewed fears about joblessness and rogue robots.

Developments in all three areas—telework, renewables and AI—will bind countries together in new networks of interdependence. As a recent McKinsey Global Institute report shows, ‘no region is close to being self-sufficient’.

But the re-globalisation glimpsed in Davos will be fundamentally different from previous iterations. First, while the old model was about corporate profits, the new one is about national security in all its dimensions. Western countries have portrayed the war in Ukraine as a defence of the liberal, rules-based order against unilateral aggression by Russia (and, by extension, China). They are therefore busy decoupling from Russia and rethinking their economic ties with China. In Davos, Canadian Finance Minister Chrystia Freeland was just one of many policymakers who stressed the need for ‘friend-shoring’.

But to many outside the West, Europe and America are just as guilty of disrupting the global order as Russia and China are—with enormous consequences for their own security and prosperity. The way they see it, the West made a decision to turn the war into an economic conflict (through the most ambitious and far-reaching sanctions package in history) with devastating consequences for billions of people.

Back in Davos’s halcyon days, the dollar-based financial system was seen as a global public good that would spread prosperity to every corner of the world. But now it is increasingly seen as a cudgel with which America can enforce its ideological and strategic preferences. The sanctions on Russia follow the same pattern of Western policies used to prosecute the ‘war on terror’ and the fight against nuclear proliferation in Iran and North Korea.

As the French bank BNP Paribas learned in 2014, when it was fined more than US$8 billion for violating US sanctions, such policies have become a global dragnet whose effectiveness relies on the outright politicisation of global systems that were previously considered neutral (in principle if not in fact).

Now that the genie has been let out of the bottle, others are also politicising the global framework of rules and norms. The European Union, for example, is considering a new carbon tariff on imports, and it has already taken measures to prevent its citizens’ data from being stored beyond its borders.

The US, for its part, has only doubled down, such as by imposing sweeping bans on the sale of strategically important technologies to China. The result is not simply a Balkanisation of knowledge. All countries are now going to greater lengths to guard against the risks of interdependence.

Another trend that will differentiate the next age of globalisation may prove even more consequential. Whereas Britain and America were, respectively, at the centre of the first two waves of globalisation, this new one will be multipolar and thus multi-ideological. China has not only closed the economic gap with America, but has surpassed it as the biggest trading partner to most countries in the world. That implies a major shift in the balance of economic power.

This new dynamic suggests that the world will be divided not only by nationalism but by fundamentally different ideas about order. Davos attendees got a flawless illustration of this when Ukrainian President Volodymyr Zelensky beamed in to deliver a speech calling on the world to rally against Russia’s unprovoked war. While half the audience cheered enthusiastically, the other half appeared unmoved. Even if many sympathise with the Ukrainians, they fear that the conflict is being used to precipitate a Cold War 2.0 that will divide the world into democracies and autocracies.

That is the last thing most political leaders want. In private discussions, African, Middle Eastern and Latin American leaders complain that their countries suffered a loss of sovereignty and control during the first Cold War. For them, there is little to be gained from having to pick sides yet again.

Even America’s allies are against having to choose. I spoke to a Japanese tycoon who is very worried about Beijing’s foreign policy but also vehemently opposed to decoupling from China. And in his own speech to the conference, Scholz declared that the world of 2045 would not be bipolar but multipolar.

Ultimately, Schwab may be right to hope for cooperation in our time of fragmentation. But we must bear in mind how the next globalisation will differ fundamentally from the last one.